Forum Discussion

Prince
Jan 18, 2018

How to make F5 act as proxy for forwarding traffic to external website

Scenario is as below:

  • F5 deployed as reverse proxy.
  • Internal server is initiating connection to an external URL on the internet.
  • External website does not accept TLS1.2 connections.
  • Internal server is initiating connection on TLS1.2.

I need F5 to act as full proxy and initiate connection on TLS1.1.

Let's say, if this is a generic external website (e.g. google.com, etc.), is it doable to make F5 act as a proxy to handle this connection? If so, how?

Any suggestions are much appreciated.

2 Replies

  • It is possible, but has problems.

    To be able to change from TLS1.2 to TLS1.1, you need to terminate and initiate the SSL connection to the external server.

    That causes 2 problems:

    1 - Your server will see a different certificate, as you don't have the external server private key, so you need to create or use another one.

    2 - The F5 connection to the external server will not validate the external certificate, by default. You can import the CA certificates, and set that up.

    So, basically, create a standard virtual server with the external server IP as a destination, and source as the internal server IP or network. Also, create a pool with the external server IP, and link it to the virtual server. Configure and link to the virtual server the clientssl and serverssl profiles.

    That is with LTM.

    However, if you go to SWG, that is simpler:

    https://f5.com/products/big-ip/secure-web-gateway-services-swgs

    In that case you can set up SWG as an explicit proxy, and the request will be sent to the proxy. It should then be able to negotiate the correct TLS protocol version with the external server.
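Written out as added example tmsh commands (not from the thread or from F5's documentation), these are the LTM objects the reply lists: the addresses, object names and certificate file names are placeholders I assume, and the internal server's route to the external IP must pass through the BIG-IP for the virtual server to see the traffic.

```tmsh
# Added example, not from the thread. Placeholders assumed here:
# 203.0.113.10 = external site, 10.0.0.0/24 = internal server network,
# cert/key/CA file names = objects already imported into the BIG-IP.

# Pool holding the external server so the virtual server has a destination.
# A plain tcp monitor is used so the health check does not itself have to
# negotiate a TLS version the external site refuses.
create ltm pool ext_site_pool members add { 203.0.113.10:443 } monitor tcp

# Client-side profile: terminates the internal server's TLS1.2 session.
# The internal server will see THIS certificate, not the external site's
# (problem 1 in the reply), so it must be issued by a CA the internal server
# trusts and carry the external hostname in its SAN.
create ltm profile client-ssl ext_site_clientssl defaults-from clientssl cert internal_issued.crt key internal_issued.key

# Server-side profile: re-initiates TLS to the external site with TLS1.2
# disabled so TLS1.1 is negotiated. ca-file plus peer-cert-mode require turns
# on validation of the external certificate, which is off by default
# (problem 2 in the reply). Keep this profile scoped to this one destination,
# since it deliberately lowers the protocol version.
create ltm profile server-ssl ext_site_serverssl defaults-from serverssl options { no-tlsv1.2 } ca-file external_root_ca.crt peer-cert-mode require

# Virtual server keyed on the external IP, restricted to the internal network
# as source so only this flow is decrypted; SNAT automap so the return traffic
# from the external site comes back through the BIG-IP.
create ltm virtual ext_site_vs destination 203.0.113.10:443 source 10.0.0.0/24 ip-protocol tcp pool ext_site_pool profiles add { tcp ext_site_clientssl { context clientside } ext_site_serverssl { context serverside } } source-address-translation { type automap }

save sys config
```

Because the virtual server is bound to one external IP, this only covers a site with a fixed address; a site that resolves to changing IPs is the case where the reply's SWG explicit-proxy suggestion fits better.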